Cheatography

Volatility 3.0 Windows Cheat Sheet (DRAFT) by

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system.

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Installation

1) Install Visual Studio C++ build tools (both 64 and 32 bit).
2) As of 02.2024 the plugin yara-python is not yet updated, so make sure to delete it from requirements.txt before installing the requirements:
py -m pip install -r requirements.txt
3) Download the symbol table packs (Windows, Mac, Linux) and extract them inside "volatility3\symbols".
4) Start the installation by entering the following commands in this order:
py setup.py build
py setup.py install
Once the last command finishes, Volatility is ready for use.

OS Information

#Show OS & kernel details of the memory sample being analyzed.
py vol.py -f "filename" windows.info

Hashes

#Dumps the local account (SAM) LM/NT password hashes from memory
py vol.py -f "filename" windows.hashdump.Hashdump

Cached Credentials

#Dumps cached domain logon credentials (MS cache / DCC hashes) from memory; this is not the LSA secrets
py vol.py -f "filename" windows.cachedump.Cachedump

Environment Variables

#Display process environment variables
py vol.py -f "filename" windows.envars.Envars

Symlinks

#Scans for symbolic link objects present in a particular Windows memory image.
py vol.py -f "filename" windows.symlinkscan.SymlinkScan

Network

#Scans memory for network objects (TCP/UDP endpoints, listeners); also recovers closed or residual connections.
py vol.py -f "filename" windows.netscan
#Traverses the live network tracking structures; shows the connection state as the kernel saw it at capture time.
py vol.py -f "filename" windows.netstat

Registry

#Lists the registry hives present in a particular memory image.
py vol.py -f "filename" windows.registry.hivelist
#Scans for registry hives present in a particular Windows memory image.
py vol.py -f "filename" windows.registry.hivescan
#Lists the subkeys and values under a given key (omit --key to start at each hive's root).
py vol.py -f "filename" windows.registry.printkey.PrintKey --key <KEY>

Command line arguments

#Lists process command line arguments.
py vol.py -f "filename" windows.cmdline.CmdLine

Services

#Lists the SIDs of Windows services (derived from the service names in the registry), useful for attributing tokens to services.
py vol.py -f "filename" windows.getservicesids.GetServiceSIDs

Drivers

#List IRPs for drivers in a particular windows memory image.
py vol.py -f "filename" windows.driverirp.DriverIrp
#Scans for drivers present in a particular windows memory image.
py vol.py -f "filename" windows.driverscan.DriverScan

Processes

#Get process list by walking the kernel's linked list of EPROCESS structures
py vol.py -f "filename" windows.pslist
#Scan memory for EPROCESS structures; also finds processes unlinked from the list (hidden by malware) and terminated ones, so compare the result with pslist
py vol.py -f "filename" windows.psscan
#Get the process tree (parent/child relationships, built from the linked list, so hidden processes are not shown)
py vol.py -f "filename" windows.pstree
#Dumps cached file contents (mapped files) for the given process
py vol.py -f "filename" -o "output/dir" windows.dumpfiles --pid <PID>
#Prints the memory map of a process; --dump writes its memory to the output directory
py vol.py -f "filename" -o "output/dir" windows.memmap --dump --pid <PID>
#Lists process open handles.
py vol.py -f "filename" windows.handles --pid <PID>
#Lists the DLLs loaded by a process.
py vol.py -f "filename" windows.dlllist --pid <PID>
#Lists process token privileges
py vol.py -f "filename" windows.privileges.Privs
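The security-relevant use of psscan is the comparison with pslist: a running process that the pool scan finds but the linked-list walk misses has been unlinked from the active-process list (DKOM hiding), while an exited process that only psscan sees is ordinary residue. The script below does that comparison and also flags core system processes with an unexpected parent, which is what you otherwise check by eye in pstree. It is an added example, not part of this cheat sheet or of Volatility; it assumes both plugins were run with Volatility 3's JSON renderer (`-r json`) and uses the column names PID, PPID, ImageFileName, Offset(V) and ExitTime. The rows embedded in it are constructed, not taken from a real image, and the expected-parent table is a heuristic.

```python
"""Cross-check windows.pslist against windows.psscan to find processes that are
running but unlinked from the active-process list (DKOM hiding), separate them
from terminated-process residue, and flag parent/child anomalies.
Example added to this cheat sheet; it is not part of Volatility.

Assumed inputs (Volatility 3 JSON renderer), e.g.:
    py vol.py -f "filename" -r json windows.pslist > pslist.json
    py vol.py -f "filename" -r json windows.psscan > psscan.json
"""
import json
from typing import Dict, List, Tuple

# Column names follow the plugins' headers; only these five are used, any other
# columns (Threads, Handles, CreateTime, __children, ...) are ignored.
PID, PPID, NAME, OFFSET, EXIT = "PID", "PPID", "ImageFileName", "Offset(V)", "ExitTime"

# Constructed sample rows (not from a real image); offsets are made-up EPROCESS addresses.
_BASE = [
    {PID: 4,    PPID: 0,    NAME: "System",       OFFSET: 0xFFFF8A0C3A06B040, EXIT: None},
    {PID: 600,  PPID: 4,    NAME: "smss.exe",     OFFSET: 0xFFFF8A0C3A2C0080, EXIT: None},
    {PID: 592,  PPID: 600,  NAME: "wininit.exe",  OFFSET: 0xFFFF8A0C3A4D0080, EXIT: None},
    {PID: 700,  PPID: 592,  NAME: "services.exe", OFFSET: 0xFFFF8A0C3A5F1080, EXIT: None},
    {PID: 1337, PPID: 1200, NAME: "explorer.exe", OFFSET: 0xFFFF8A0C3B010080, EXIT: None},
    # linked and running, but spawned by explorer.exe instead of services.exe
    {PID: 4100, PPID: 1337, NAME: "svchost.exe",  OFFSET: 0xFFFF8A0C3B7E2080, EXIT: None},
]
SAMPLE_PSLIST = json.dumps(_BASE)
SAMPLE_PSSCAN = json.dumps(_BASE + [
    # found only by the pool scan and still running: unlinked from the active-process list
    {PID: 2012, PPID: 700,  NAME: "svchost.exe",  OFFSET: 0xFFFF8A0C3B3A4080, EXIT: None},
    # found only by the pool scan but exited: normal residue, not hiding
    {PID: 3300, PPID: 1337, NAME: "cmd.exe",      OFFSET: 0xFFFF8A0C3B5C8080,
     EXIT: "2024-02-01 10:15:22.000000 UTC"},
])

# Expected parent for core system processes (heuristic; lower-case names).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def load_rows(json_text: str) -> Dict[int, dict]:
    """Key rows by EPROCESS offset: PIDs get reused, kernel object addresses do not."""
    return {row[OFFSET]: row for row in json.loads(json_text)}


def is_running(row: dict) -> bool:
    """A live process has no ExitTime; treat empty/N/A renderings the same way."""
    return row.get(EXIT) in (None, "", "N/A")


def _scan_only(pslist_json: str, psscan_json: str) -> List[dict]:
    """Rows psscan found whose EPROCESS offset pslist never reached."""
    linked = load_rows(pslist_json)
    return [r for off, r in load_rows(psscan_json).items() if off not in linked]


def find_hidden(pslist_json: str, psscan_json: str) -> List[dict]:
    """Running processes psscan sees but pslist does not: the DKOM signature."""
    return [r for r in _scan_only(pslist_json, psscan_json) if is_running(r)]


def find_terminated(pslist_json: str, psscan_json: str) -> List[dict]:
    """Exited processes whose EPROCESS still sits in the pool: expected, low priority."""
    return [r for r in _scan_only(pslist_json, psscan_json) if not is_running(r)]


def parent_anomalies(psscan_json: str) -> List[Tuple[int, str, str]]:
    """(pid, name, actual parent name) for core processes with an unexpected parent.
    Works on psscan so hidden processes are included; unresolvable parents are skipped."""
    rows = load_rows(psscan_json)
    by_pid = {r[PID]: r for r in rows.values() if is_running(r)}
    out = []
    for r in rows.values():
        want = EXPECTED_PARENT.get(r[NAME].lower())
        parent = by_pid.get(r[PPID])
        if want and parent and is_running(r) and parent[NAME].lower() != want:
            out.append((r[PID], r[NAME], parent[NAME]))
    return out


if __name__ == "__main__":
    for label, rows in (("HIDDEN (running, unlinked)", find_hidden(SAMPLE_PSLIST, SAMPLE_PSSCAN)),
                        ("terminated residue", find_terminated(SAMPLE_PSLIST, SAMPLE_PSSCAN))):
        for r in rows:
            print(f"{label}: pid={r[PID]} {r[NAME]} ppid={r[PPID]} offset={r[OFFSET]:#x}")
    for pid, name, parent in parent_anomalies(SAMPLE_PSSCAN):
        print(f"parent anomaly: pid={pid} {name} spawned by {parent}")
```

To use it on a real capture, replace the two SAMPLE_* strings with the contents of pslist.json and psscan.json. Keying on Offset(V) rather than PID matters: PIDs are recycled, so a terminated process and a live one can share a PID while their EPROCESS addresses differ.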

Files

#Scans for file objects present in a particular windows memory image.
py vol.py -f "filename" windows.filescan
#Dumps cached file contents from Windows memory samples (all processes; -o sets the output directory).
py vol.py -f "filename" -o "output/dir" windows.dumpfiles

Malware General

#Lists process memory ranges that potentially contain injected code (private, executable, not backed by a file).
py vol.py -f "filename" windows.malfind.Malfind
#Lists the system call table (SSDT); entries that do not resolve to a known kernel module such as ntoskrnl or win32k indicate hooking.
py vol.py -f "filename" windows.ssdt.SSDT